JP2021120884A - Information processing device, information processing method, program, and recording medium - Google Patents

Abstract

To determine whether or not the compressed file with a password, which is attached to an electronic mail, is appropriate.SOLUTION: An information processing device includes: a separation notification part 20 which, when a first compressed file with the password is attached to the received electronic mail, stores the electronic mail in a temporary saving area, and notifies a recipient of the electronic mail that the electronic mail will be stored in the temporary saving area or has been stored; and a decompression part 30 in which compression of the first compressed file is decompressed by input of the password to take out a first file; and a determination processing part 40 for determining whether or not the first file is appropriate for the first file.SELECTED DRAWING: Figure 1

Description

The present invention relates to an information processing apparatus, an information processing method, a program and a recording medium for processing a compressed file.

Since there is a risk of being infected with a virus by conventionally received e-mails, it has been proposed to filter such e-mails. For example, Patent Document 1 discloses that a so-called "spoofing" e-mail is dealt with, stores an e-mail addressed to a user, and determines whether or not the e-mail addressed to the user is a spoofing mail. It is disclosed that a Web mail server is used.

If a compressed file with a password is attached to an e-mail, the suitability of the file cannot be determined. For this reason, it is not possible to determine inappropriate e-mails such as sender spoofing using compressed files.

Japanese Unexamined Patent Publication No. 2012-78922

The present invention provides an information processing device, a program, a recording medium, and an information processing method capable of determining whether or not a compressed file with a password attached to an e-mail is appropriate.

The information processing device according to the present invention
If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. A separate notification unit that notifies the recipient of the e-mail,
A decompression unit that decompresses the compression of the first compressed file and extracts the first file by inputting the password,
A judgment processing unit that determines whether the first file is appropriate for the first file,
May be provided.

In the information processing apparatus according to the present invention
When the determination processing unit determines that the first file is appropriate, it sends the e-mail to the recipient, and when it determines that the first file is inappropriate, a predetermined action is taken. After executing the above, an e-mail in which the action is executed may be sent to the recipient.

In the information processing apparatus according to the present invention
When the determination processing unit transmits the e-mail to the recipient, the determination processing unit may attach and transmit the first compressed file after resetting the password.

In the information processing apparatus according to the present invention
When the determination processing unit sends the e-mail to the receiver, the determination processing unit may send the first compressed file in a state where the password is released to the receiver.

The information processing device according to the present invention
It also has a storage unit that stores the authorized sender.
When the sender is the authorized sender, the determination processing unit can use the first compressed file in the first compressed file even when the first compressed file in which the password is set is attached to the e-mail. It may be sent to the recipient of the email without determining if the first file is appropriate.

In the information processing apparatus according to the present invention
The determination processing unit may delete the first compressed file that was not decompressed by the decompression unit and send the e-mail to the recipient.

In the information processing apparatus according to the present invention
When the n + 1 compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer of 1 or more), the determination processing unit determines that the n + 1 compressed file exists. Notify the recipient of the email and
When the password is input, the decompression unit decompresses the compression of the n + 1 compressed file and takes out the n + 1 file.
The determination processing unit may determine whether or not the n + 1 file is appropriate for the n + 1 file.

In the information processing apparatus according to the present invention
When the n + 1 compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer of 1 or more), the decompression unit automatically assigns a password to the n + 1 compressed file. You may enter it.

In the information processing apparatus according to the present invention
If the n + 1 compressed file is not decompressed by the password automatically entered by the decompression unit, the determination processing unit may notify the recipient of the e-mail that the n + 1 compressed file exists. ..

In the information processing apparatus according to the present invention
When a plurality of n + 1 compressed files are stored in the nth compressed file decompressed by the decompression unit, the determination processing unit is appropriate for the n + 1 file in the n + 1 compressed file decompressed. Judging the nature, the n + 1 compressed file whose compression has not been decompressed may be deleted.

In the information processing apparatus according to the present invention
The upper limit of the number of layers to be decompressed by the decompression unit is set in advance, and when the upper limit is exceeded, the compressed file may not be decompressed by the decompression unit.

The information processing method according to the present invention
If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. Notifying the recipient of the email and
By inputting the password, the compression of the first compressed file is decompressed and the first file is taken out.
Determining whether the first file is appropriate for the first file,
May be provided.

The program according to the present invention
A program that causes an information processing device to execute an information processing method.
The information processing device
If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. Notifying the recipient of the email and
By inputting the password, the compression of the first compressed file is decompressed and the first file is taken out.
Determining whether the first file is appropriate for the first file,
The information processing method including the above may be executed.

The recording medium according to the present invention is
The above-mentioned program may be recorded.

In the present invention, when a compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area, and the e-mail is stored or stored in the temporary save area. When the recipient of the e-mail is notified of the fact, the compressed file is decompressed by inputting the password, the file is taken out, and the aspect of determining whether the file is appropriate for the file is adopted. Can quickly determine the suitability of a file stored in a compressed file with a password.

The figure which showed an example of the process flow by embodiment of this invention. The block diagram of the information processing apparatus which can be used in embodiment of this invention. The figure which showed the mode of camouflage about the link destination information which can be used in embodiment of this invention. The figure which showed an example of the notification screen which can be used in embodiment of this invention. The figure which showed an example of the password input screen which can be used in embodiment of this invention. The figure which showed an example of the hierarchy of the compressed file which can be used in embodiment of this invention. The figure which showed an example of the processing content at the time of decompressing the compressed file which can be used in embodiment of this invention.

Embodiment << configuration >>
Hereinafter, embodiments of the information processing apparatus according to the present invention will be described with reference to the drawings. In this embodiment, "or" also includes the meaning of "and". That is, in the present embodiment, A or B means any of A, B and A and B.

The information processing device of the present embodiment may be composed of one device, or may be composed of a plurality of devices. When the information processing device is composed of a plurality of devices, the devices constituting the information processing device may be installed in different rooms or different places, and a part of the information processing device and the rest of the information processing device are located in a remote place. May be placed in.

The information processing device of the present embodiment may be provided in the internal network, may be provided in a boundary (DMZ: DeMilitarized Zone) connecting the internal network and the external network, or may be provided in the external network. May be good. Information processing device is MTA (Message Tr)
It may be ansfer Agent).

As shown in FIG. 2, in the information processing apparatus of the present embodiment, when the storage unit 10 including the temporary save area and the first compressed file in which the password is set are attached to the received e-mail, the electronic file is attached. A separate notification unit 20 (see (2) in FIG. 1) that stores the mail in the temporary save area and notifies the recipient of the e-mail that the e-mail is stored or has been stored in the temporary save area, and a password. The decompression unit 30 that decompresses the compression of the first compressed file and extracts the first file by inputting, and the judgment processing unit 40 that determines whether the first file is appropriate for the first file. May have. The password for the first compressed file may be entered by the recipient of the notified e-mail (see (3) in FIG. 1). When performing a camouflage determination for determining whether or not the user is disguised, the temporary evacuation may be canceled and the temporary evacuation area may be moved to another area. Examples of the compressed file include a ZIP format file. The recipient of the e-mail is, for example, the e-mail address described in the "envelope To".

If it is not known whether or not a password has been set for the first compressed file, the determination processing unit 40 may determine whether or not the source is appropriate to the extent possible. A mode for determining whether or not the transmission source is appropriate will be described later. The determination processing unit 40 may determine whether or not the uncompressed file (normal file) is appropriate. The first compressed file and the uncompressed file (normal file) determined to be inappropriate by the determination processing unit 40 may be deleted by the determination processing unit 40.

As shown in FIG. 2, the storage unit 10 may be provided with a first storage unit 11 for storing received e-mails and a second storage unit 12 isolated from the first storage unit 11. When the judgment processing unit 40 determines that the sender of the e-mail is inappropriate, such as when the sender information of the e-mail is determined to be spoofed, the e-mail is sent to a second directory or the like. It may be stored in the storage unit 12.

The e-mail separated by the separation notification unit 20 and stored in the temporary evacuation area may be treated as an e-mail waiting for inspection and may be in a password input waiting state. At this time, the e-mail and the file such as the first compressed file may be stored without being separated. When such an aspect is adopted, it is advantageous in that the trouble of associating the e-mail with the file attached to the e-mail later can be saved. However, the present invention is not limited to this mode, and files such as the first compressed file may be stored separately from the e-mail.

The notification from the separation notification unit 20 to the recipient of the e-mail may be performed immediately after being separated and stored in the temporary evacuation destination, or may be repeatedly performed at predetermined intervals until the password is input. The predetermined interval may be 24 hours, and for example, a notification may be issued once a day at a set time.

The predetermined interval at which the notification is given may be shortened as time elapses, and the notification is given at the interval of the first hour until the first period elapses, and after the first period elapses, the second hour (second hour < Notifications may be given at intervals of (first hour). When such an aspect is adopted, the notification is frequently issued with the passage of time, and it is possible to prevent the receiver from forgetting to release the password lock. Further, when a certain period of time has passed, a emphasized message such as "Urgent" or "URGENT" may be displayed in the title.

The notification may be sent not only to the recipient but also to a preset administrator. When such an aspect is adopted, the administrator can also grasp that the compressed file in which the password is locked and the password is not released is stored.

The e-mail notified from the separate notification unit 20 may have the form shown in FIG. 4, and includes a message prompting the password input and link destination information for inputting the password (as a “password input screen” in FIG. 4). (Shown), email information including subject, date and time, sender and attached file information, and email body may be displayed. When such an aspect is adopted, the recipient of the e-mail cannot confirm the attached file, but it is advantageous in that the body of the e-mail can be confirmed. The title of the e-mail notified from the separation notification unit 20 may indicate that the password input is requested as shown in FIG. When such an aspect is adopted, the receiver can easily recognize that the password input is required. In the aspect shown in FIG. 4, it is also displayed that the control is performed by the filtering system "m-FILTER" (registered trademark).

When the recipient clicks the link destination information related to the password input screen, the password input screen as shown in FIG. 5 may be displayed. If there are multiple attachments, you may enter the password for each attachment. The present invention is not limited to this mode, and even if a plurality of attached files exist, the same password may be entered for each attached file. When you enter the password, you may mask it with ●●●. If an incorrect password is entered, an error message may be displayed. The password input is not limited to the mode performed from the password input screen as shown in FIG. 5, and may be performed by inputting the password in the reply mail to the notification mail to the recipient. If "English" is selected at the lower right of FIG. 5, sentences will be displayed in English.

On the password input screen, the information in the header From is displayed as the sender, and the headers To and CC may be displayed as the receiver. In addition, the body of the email may be hidden. This is because there is a danger in displaying the body of the email because it has not been rendered harmless.

It may be determined whether or not the determination processing unit 40 is appropriate for the first file in which the password is input and extracted (see (4) of FIG. 1). If the judgment processing unit 40 determines that it is appropriate, an e-mail is sent to the recipient, and if the judgment processing unit 40 determines that it is inappropriate, after executing a predetermined action. Then, the e-mail in which the action is executed may be sent to the recipient who is the recipient (see (6) in FIG. 1). If the link destination information is included in the first file, the appropriateness may be determined based on the link destination information. For example, if the display URL displayed as the link destination in the body of the first file is different from the actual URL that is the actual link destination (see FIG. 3A), the actual URL that is the actual link destination is prohibited. When the link is to a file with an extension (see Fig. 3 (b)), or when the prohibited keyword is displayed in association with the actual URL that is the actual link destination (see Fig. 3 (c)). When the actual URL that is the actual link destination includes the global IP (see Fig. 3 (d)), and the link destination information is included in the text in the first file, but no other information is described. In any one or more of the cases, it may be determined that the first file is inappropriate. The details of this point will be described later.

When the judgment processing unit 40 sends the e-mail to the recipient who is the receiving destination, the judgment processing unit 40 may send the e-mail with the first compressed file after resetting the originally set password. .. The present invention is not limited to such an aspect, and when the determination processing unit 40 sends an e-mail to the recipient who is the recipient, the determination processing unit 40 gives the recipient the first compressed file in the state where the password is released. You may send it.

The storage unit 10 may store the authorized transmission source as a white list. When the sender is a permitted sender, the determination processing unit 40 determines the first file in the first compressed file even if the first compressed file in which the password is set is attached to the e-mail. May be sent to the recipient of the e-mail without determining whether is appropriate (see (5) in FIG. 1). Further, when the sender is a permitted sender, the separation notification unit 20 may not separate the e-mail. As the permission transmission source, the sender's domain, IP address, and the like may be stored in the storage unit 10. As an example, by selecting the "trusted source" in FIG. 5, the domain, IP address, and the like of the target sender are stored in the storage unit 10 as the permitted transmission source. In this case, in the future, the e-mail from the sender will not be required to enter the password and will be sent to the recipient of the e-mail without determining whether the first file in the first compressed file is appropriate. (See (5) in FIG. 1). The source and the receiver may be associated with each other, stored in the storage unit 10, and white-listed by a combination thereof. By whitelisting the sender and recipient in this way, for example, when the first recipient receives an e-mail from the first sender, it is determined as an authorized sender, but the first When a second recipient, different from the recipient, receives an email from the first source, a password may be required to inspect the compressed file.

When the "untrusted source" in FIG. 5 is selected, the e-mail from the source may not be received. The source and the receiver may be associated with each other, stored in the storage unit 10, and blacklisted by a combination thereof. By combining the sender and the receiver in this way and blacklisting them, for example, when the first receiver receives an e-mail from the first sender, it is determined as a prohibited sender, but the first receiver. When a second recipient different from the person receives the email from the first source, the email is received as a normal sender, and when a compressed file is attached, a password is entered to inspect the compressed file. It may be requested. In addition, the mail for which "untrusted source" is selected may be deleted immediately.

On the other hand, if the sender is not registered as a permitted sender, it may be determined whether or not the sender is locked with a password (see (1) in FIG. 1).

The determination processing unit 40 may delete the first compressed file that has not been decompressed by the decompression unit 30 after a certain period of time has passed without the correct password being entered, and may send an e-mail to the recipient.

When the file has a multi-stage structure, notification by the separation notification unit 20, password input, and decompression may be repeated in each layer. That is, when the n + 1 compressed file is stored in the nth compressed file decompressed by the decompression unit 30 (“n” is an integer of 1 or more), the determination processing unit 40 means that the n + 1 compressed file exists. May be notified to the recipient of the email. The decompression unit 30 may decompress the compression of the n + 1 compressed file and take out the n + 1 file by inputting the password. The determination processing unit 40 may determine whether or not the n + 1 file is appropriate for the n + 1 file. For example, when the second compressed file is stored in the first file decompressed by the decompression unit 30 (see FIG. 6), the determination processing unit 40 determines that the second compressed file exists as the recipient of the e-mail. May be notified to. The decompression unit 30 may decompress the compression of the second compressed file and take out the second file by inputting the password. The determination processing unit 40 may determine whether or not the second file is appropriate for the second file.

When a plurality of n + 1 compressed files are stored in the nth compressed file decompressed by the decompression unit 30, the determination processing unit 40 determines whether the n + 1 file in the n + 1 compressed file decompressed is appropriate. The n + 1 compressed file whose compression has not been decompressed may be deleted while determining. Further, for the n + 1 compressed file in which the compression has not been decompressed, it may be determined whether or not it is appropriate to the extent possible. As an example of a mode for determining whether or not a compressed file is appropriate, the determination processing unit 40 uses the file name as a determination material, and one or more blanks are provided before the extension of the file name. , If the file name contains a prohibition control code, etc., it may be determined that the compressed file is inappropriate.

The upper limit of the layers to be defrosted by the defrosting unit 30 may be set in advance. If the upper limit is exceeded, the decompression unit 30 may not decompress the compressed file. In this case, the determination processing unit 40 may perform a camouflage determination on the compressed file that has not been decompressed by the decompression unit 30 to the extent possible. As the upper limit number of layers, for example, 3 to 10 may be used. If the compressed file and all the password locks of the file can be released, or if the upper limit of the hierarchy is exceeded, the determination processing unit 40 determines the appropriateness of the file for which the password lock has been released. You may.

When the file has a multi-stage structure, the determination processing unit 40 may input the password entered for the nth compressed file as the password for the file in the lower hierarchy such as the n + 1th compressed file. .. If the compressed file is not decompressed with this password, the separation notification unit 20 may notify and request the input of the password. When such an aspect is adopted, since the receiver is not required to input the common password, the troublesomeness as the receiver can be reduced.

Such password input may be repeated. For example, when the n + 2 compressed file is stored in the n + 1 compressed file, the determination processing unit 40 inputs the password entered for the nth compressed file as the password for the n + 1 compressed file. You may decompress and enter the same password for the n + 2 compressed file in the decompressed n + 1 file.

The storage unit 10 may store the password list. The password in the password list is stored in association with the sender, and the password for the sender may be automatically entered for the file attached to the e-mail from the sender. For example, one or more primary passwords are associated with the primary sender, and the password for the primary sender is automatically assigned to the file attached to the email from the primary sender. It may be entered. Similarly, one or more secondary passwords are associated with the secondary sender, and the password for the secondary sender is automatic for files attached to emails from the secondary sender. It may be input with. Registration in the password list may be limited to persons with certain authority such as an administrator. The recipient may be able to register in the password list when entering the password. The registered sender address may be paired with the password and whitelisted, or the pre-registered password may be paired with the sender address and whitelisted.

The determination processing unit 40 may sequentially apply a plurality of passwords stored in the storage unit 10 to the password-locked file attached to the e-mail. When the password cannot be released even if the plurality of passwords stored in the storage unit 10 are sequentially applied, the separation notification unit 20 separates the e-mail and notifies that the e-mail is separated or separated. You may do it.

When the preset retention period has expired, the e-mail stored in the temporary evacuation area may be automatically sent to the recipient. The retention period may be set, for example, several hours, one day, three days, or the like. It can also be set as "same day", and if it is set as "same day", the holding time will be set until the date changes.

When the preset retention period has passed and the e-mail is automatically transmitted, the determination processing unit 40 may determine the appropriateness of the e-mail to the extent possible. Even in the case of automatic transmission, if the determination processing unit 40 determines that the file is inappropriate, the attached file may be deleted. However, it may be possible to set whether or not to delete the attached file at the time of automatic transmission, or it may be set so that the file is not deleted. If it is automatically transmitted, that fact may be stated in the body, title, or the like of the e-mail. When such an aspect is adopted, the recipient can recognize that only a simple spoofed mail judgment is performed, and if the recipient feels the need, the file attached to the e-mail The password may be released so that the determination processing unit 40 can determine the fake email.

The format of the compressed file is typically ZIP, but various formats such as TAR, CAB, 7z, and RAR can be used. The format of the compressed file that can be decompressed may be set in advance. In this case, if the file is attached to an e-mail in the form of a compressed file that cannot be decompressed, the compressed file may be deleted. Moreover, even if it is a compressed file format that can be decompressed, the compressed file may be deleted in a predetermined case. As an example, even if a ZIP-compressed file can be decompressed, if the compressed file is encrypted with AES128 / 192/256, the compressed file should be deleted. May be good. Further, instead of deleting, the determination processing unit 40 may perform a camouflage determination to the extent possible.

If the file cannot be inspected, the password is not entered, the password is entered incorrectly but a certain amount of time has passed, or the password is entered incorrectly more than a certain number of times, the hierarchy of the attached file is the upper limit of the hierarchy. It can be mentioned that the number exceeds the above and it cannot be determined whether the password is locked, or the format of the password-locked attached file is not supported by the system.

As an action (control mode) for a file that could not be inspected, either transmission, quarantine, or deletion may be set. If it is determined to be quarantined or deleted, any of the administrator, recipient and sender may be notified. Notifications to administrators, recipients and senders may include information about the subject and body of the email in question. In addition, screen information as shown in FIG. 4 may be transmitted by e-mail.

If the hierarchy of the attached file exceeds the upper limit of the hierarchy and it cannot be determined whether the password is locked, only the file of the unzipped hierarchy may be attached and the e-mail may be sent, or the unzipped hierarchy may be sent. You may want to delete the file including the above file before sending the e-mail.

The attached file may be detoxified. As the detoxification process, for example, the macro may be removed after unlocking the password of the attached file, or the attached file may be deleted. The attached file from which the macro has been removed may be compressed in a ZIP format or the like using the original password, attached to the original e-mail, and sent to the recipient. Further, the attached file from which the macro has been removed may be compressed in a ZIP format or the like without a password being applied, attached to the original e-mail, and sent to the recipient. In addition, the attached file from which the macro has been removed may be attached to the original e-mail and sent to the recipient without being compressed. When the detoxification process is performed, the receiver may be notified of the content of the detoxification process.

It should be noted that the compression may be performed in a format different from the original compression format. For example, when it was attached to the original email, it was compressed in the first format, but when it is compressed again after the password is unlocked, it is compressed in a second format (for example, ZIP) that is different from the first format. You may do so. Even if it was compressed in the second format when it was attached to the original e-mail, it may be compressed in the second format. When such an embodiment is adopted, it is possible to compress in a uniform format (second format) when recompressing, which is advantageous in that control becomes easy.

If the file attached to the e-mail uses a prohibited extension, if the file name has multiple extensions, one or one before the file name extension of the file attached to the e-mail If there are multiple blanks, the file name attached to the e-mail contains a prohibition control code, the file attached to the e-mail is an executable file, the file in the e-mail However, when the body of the e-mail is empty, the determination processing unit 40 may determine that the e-mail information may be inappropriate. In these cases, even if the file is password-locked, it can be determined whether or not it is appropriate without releasing the password lock, and these aspects are included in the above-mentioned "possible range" determination.

As an example of the prohibited extension, the mode in which "exe" is used such as "Quotation.exe", and the mode in which "exe" is used,
Examples of modes in which multiple extensions are used, such as "Quotation.pdf.exe", can be mentioned. As an example of the prohibition control code, an embodiment in which "RLO" is used, such as "Quotation (RLO) xcod.exe", can be mentioned. Here, "RLO" is "Right-to-Left Override", which is a symbol for reversing the left-right arrangement of horizontally written characters. By using such "RLO", it may be used to prevent the user from recognizing that it is an executable file, so it is judged that the mail information may be inappropriate. May be good. When the file is an executable file, for example, "exe", "dll", "obj", "sys", "com"
Examples of the mode in which the extension such as is used can be mentioned. The prohibited control code or extension may also be input from an input means such as the input unit 90 shown in FIG.

Even if the file attached to the e-mail is in a prohibited format or the file attached to the e-mail contains a macro, the judgment processing unit 40 determines that the e-mail information may be inappropriate. You may.

As an example of the case where a blank is provided before the extension of the file name of the file attached to the e-mail, for example, the mode in which the file name is "Quotation .exe" can be mentioned. Further, when the number of blanks provided before the extension of the file name is a certain value (for example, 5 words) or more, the determination processing unit 40 may determine that the mail information may be inappropriate. .. The number of blanks may also be input from an input means such as the input unit 90.

Even when the file attached to the e-mail contains a URL inappropriate for viewing, the determination processing unit 40 may determine that the e-mail information may be inappropriate. The inappropriate URL may be a URL (blacklist information) registered in the storage unit 10 in advance.

When the impersonation determination is performed on the file, the receiver may be notified of the content of the impersonation determination and the result thereof. This notification may be made by adding to the body of the e-mail to be delivered, or may be sent as an e-mail separate from the e-mail to be delivered.

Inappropriate files may be collected by a honey pod or the like and the hash value of the file may be obtained. Then, this hash value may be blacklisted and compared with the hash value of the file to be inspected.

Virus detection may be performed by antivirus software or the like for the e-mail stored in the second storage unit 12 such as the quarantined e-mail (see (7) in FIG. 1). Further, among the e-mails stored in the second storage unit 12, the e-mails detected as dangerous by the antivirus software may be automatically deleted. When such an aspect is adopted, the number of e-mails stored in the second storage unit 12 can be reduced, and for example, the burden of appropriateness evaluation by an in-house manager can be reduced.

Further, the e-mail stored in the second storage unit 12 may be automatically deleted after a lapse of a predetermined time. The predetermined time for deleting the e-mail may be input from the input unit 90 or may be preset. Further, the input unit 90 may be able to switch ON and OFF of such an automatic deletion function.

The number of e-mails stored in the second storage unit 12, the number of e-mails according to the date and time, etc. may be notified to the administrator, or may be stored in the storage unit 10 so that the administrator can appropriately check the number of e-mails. You may become. When such an aspect is adopted, it is advantageous in that it is possible to confirm the number of e-mails judged to be inappropriate and the increase / decrease in the number of e-mails along the time axis.

A relay unit 50 (see FIG. 2) may be provided to relay web access from an internal terminal in the internal system. When the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information, the relay unit 50 stores the link destination in the storage unit 10 and denies the access of the internal terminal to the link destination. May be good. The internal terminal means an information processing device such as a personal computer connected to an internal network. The storage unit 10 may store the information of the e-mail in association with the link destination. The e-mail information may include the body of the e-mail, the date and time of acquisition, the sender address, etc., and if a file is attached to the e-mail, the information of the file is also included in the e-mail information. It may be.

The link destination information may include all information regarding the link destination obtained from the body of the email, the attached file attached to the e-mail, the macro of the attached file, and the like. Further, the mail body may include both a text format and an HTML format, and for the HTML format, the URL of the link portion may be acquired. Access to the URL stored in the storage unit 10 and whose access is prohibited by the relay unit 50 may be permitted via the input unit 90.

Even if the files are divided as a result of the division of the e-mail, the determination processing unit 40 may combine the divided files and restore them into one file. Then, the determination processing unit 40 may determine the appropriateness of the restored file.

Next, other aspects of determining whether or not the source is appropriate will be described below.

[Sender information]
First, a mode in which the determination processing unit 40 determines that the received e-mail information may be inappropriate based on the sender information will be described.

The determination processing unit 40 may acquire the camouflage determination information from the external terminal 100 provided outside the internal network and determine whether the sender information of the e-mail is spoofed by using the camouflage determination information. At this time, the determination processing unit 40 may determine whether the source information is disguised by comparing the camouflage determination information with the source information. The external terminal 100 may be, for example, a DNS (Domain Name System) server. The camouflage determination information may be, for example, an SPF (Sender Policy Framework) record. Whether the sender information of the e-mail is spoofed may be determined by using the connection source IP address, the sender email address, the FQDN (Fully Qualified Domain Name) of the connection source MTA, or the like.

The determination processing unit 40 may determine whether the source information is spoofed by using the source information other than the spoofing determination information. As an example, if the header destination (header From) and the envelope destination (envelope From) do not match, it may be determined that the e-mail may be inappropriate.

If the number of relay servers (the number of Received headers) passed from the source to the receiver is greater than or equal to a predetermined threshold, for example, "Received: from [20x.0.xxx.1] by example1.ne.jp" If a statement such as "Tue, 14 Sep 2010 15:16:37 JST" is included in a number equal to or greater than the threshold value, the determination processing unit 40 may determine that the e-mail may be inappropriate. .. Further, the threshold value may be predetermined or may be changed from the input unit 90.

When the e-mail is received via an unexpected waypoint (for example, China, Russia, etc.), the determination processing unit 40 may determine that the e-mail may be inappropriate. At this time, the country may be specified by the IP address of Received: from [20x.0.xxx.1]. Further, an unexpected waypoint may be predetermined or may be changed from the input unit 90.

When the sender uses a mail software different from the mail software previously used to send the e-mail, the determination processing unit 40 may determine that the e-mail may be inappropriate. The mail software previously used is stored in the storage unit 10, and the judgment processing unit 40 compares the mail software stored in the storage unit 10 with the mail software used in the sent e-mail. You may judge. It may be input from the input unit 90 that there is no problem even if the mail software is different for the sender. In this case, the mail sent later to the sender of the mail is sent. The e-mail software may be stored in the storage unit 10 as correct, or both the e-mail software that has been used before and the e-mail software that has been sent later may be stored as correct.

When the sender uses free mail to send an e-mail, the determination processing unit 40 may determine that the e-mail may be inappropriate. In this case as well, it may be input from the input unit 90 that there is no problem in using the free mail for the sender, and in this case, the free mail is used for the sender. The e-mail may be stored in the storage unit 10 as if there is no problem.

[Link information]
Next, a mode in which the determination processing unit 40 determines that the received e-mail information may be inappropriate based on the link destination information will be described.

When the e-mail contains the link destination information, the determination processing unit 40 may determine whether the e-mail is appropriate based on the link destination information. In this aspect, when the display URL displayed as the link destination in the e-mail and the actual URL that is the actual link destination are different from each other, the determination processing unit 40 becomes the actual link destination (see FIG. 3A). When the actual URL is a link to a file with a prohibited extension (see Fig. 3 (b)), and when the prohibited keyword is displayed in association with the actual URL that is the actual link destination (Fig. 3 (c)). ), When the actual URL that is the actual link destination contains the global IP (see Fig. 3 (d)), and when the link destination information is included in the e-mail but the body of the e-mail is empty. Etc., it may be determined that the e-mail may be inappropriate. The "link destination information" in the present embodiment includes all information regarding the link destination obtained from the email body, the attached file attached to the e-mail, the macro of the attached file, and the like. Therefore, when the URL information is included in the compressed file from which the password has been released, the appropriateness of the e-mail may be determined using the URL information as described above.

In the embodiment shown in FIG. 3A, the e-mail address of "http://technet.ABC.com " is displayed as the display URL in the body of the e-mail, but the actual URL is " http://technet. It is "ABC.com.xx", and they are different. In the embodiment shown in FIG. 3B, the file is "uploaded file.exe" and "exe" is added, which is a link to a file having a prohibited extension. In the embodiment shown in FIG. 3C, the prohibited keyword "authenticate now" is displayed in association with the actual URL. Here, the fact that the prohibited keyword is "related to the actual URL" means that the prohibited keyword is displayed before and after the actual URL, or an arrow appears from the prohibited keyword to point to the actual URL. It means an aspect. The prohibited keywords may be input, added, deleted, modified, or otherwise changed from the input unit 90. In the aspect shown in FIG. 3 (d), the global IP "123.45.67.89 " is included.

The determination processing unit 40 may determine that the e-mail may be inappropriate when the redirect URL including the shortened URL is used. Redirecting means going through another server without connecting directly to the server where the content is stored. The shortened URL is a shortened URL of a long character string, and it is conceivable that it is used to connect to the original long URL by using a redirect.

If the text does not include "all" but only "part" of the name registered in the storage unit 10 or the like, the URL may be spoofed. In this case, the determination processing unit 40 is electronic. You may decide that the email may be inappropriate. As an example, when "example.com" is registered, the case where the URL "http://example.com.xxxx/xxxxxx" is described can be mentioned.

[Text information]
Next, a mode in which the determination processing unit 40 determines that the received e-mail information may be inappropriate based on the text information will be described.

The determination processing unit 40 may determine that the e-mail may be inappropriate based on the body information of the e-mail.

If the body of the e-mail contains a language other than the specified language, for example, if it contains Chinese characters other than Japanese such as traditional Chinese and simplified Chinese, the judgment processing unit 40 may have inappropriate e-mail. You may judge that there is. The permitted language or the prohibited language may also be input from the input unit 90.

When the body of the e-mail contains a non-existent organization or company name or telephone number, the determination processing unit 40 may determine that the e-mail may be inappropriate. When this aspect is adopted, the determination processing unit 40 may be able to acquire information on an existing organization, company name, telephone number, and the like. Information on such an existing organization, company name, telephone number, etc. may be stored in the storage unit 10 or may be stored in an external storage unit provided in the external device. The external device in the present embodiment means any device other than the information device of the present embodiment.

If the sender's email address and the email address described in the signature of the email body are different, the determination processing unit 40 may determine that the email may be inappropriate. In addition, the judgment processing unit 40 may determine that the e-mail may be inappropriate when the text contains the content requesting the description of the ID or password.

If nothing is described in the text, the determination processing unit 40 may determine that the e-mail may be inappropriate.

Further, when the text includes "numerical character reference", the determination processing unit 40 may determine that the e-mail may be inappropriate. The "numerical character reference" means that a "character string" and a "numerical character" correspond to each other and can be converted to each other. The judgment processing unit 40 is "&#22823;&#25163;&#30010;&#12398;&#26576;&#27861;&#24459;&#20107;&#21209;&#25152;&#12391; If a pre-specified "numeric character" such as "&#24453;&#12387;&#12390;&#12356;&#12414;&#12377;" is included in the text, then "numeric" It may be judged that "character reference" is included, or it is judged whether or not the "numerical character" as described above can be returned to the "character string" according to a predetermined rule, and the "character string" is not a problem. If it can be returned to "", it may be determined that "numerical character reference" is included in the text. As an example, the above-mentioned "&#22823;
&#25163;&#30010;&#12398;&#26576;&#27861;&#24459;&#20107;&#21209;&#25152;&#12391;&#24453;&#12387;&# The "numeric character""12390;&#12356;&#12414;&#12377;" is converted to the character string "waiting at a law firm in Otemachi" by applying a predetermined rule. be able to. In this way, if the "numerical character" can be returned to the "character string" without any problem, the judgment processing unit 40 may include the "numerical character reference" in the body of the e-mail, and the e-mail may be inappropriate. You may judge that there is. In this section, the description will be made using a mode in which the "text" includes a "numerical character reference", but the present invention is not limited to this, and for example, the e-mail title includes a "numerical character reference". In this case, the determination processing unit 40 may determine that the e-mail may be inappropriate.

The storage unit 10 may store the reason why the e-mail is determined to be inappropriate and make it searchable. For example, if it is determined that the e-mail may be inappropriate because the file contains a prohibited extension, it is stored in the storage unit 10 so that it can be searched by the administrator. May become.

The setting of the received mail control method may be changed for each group. An administrator may be set for each group. The members of the group may be able to change accordingly. When the members in a group are duplicated, it may be possible to appropriately select which group control method is applied.

If the determination processing unit 40 determines that the received e-mail may not be appropriate, the e-mail may be stored in the second storage unit 12 described above.

The determination processing unit 40 may delete the e-mail that is determined to be inappropriate. If you want to delete an email, you may want to keep only the log. By deleting the e-mail in this way, it is possible to prevent an accident such as the e-mail being opened by mistake.

In addition, when the attached file is deleted, the URL information is deleted, or some detoxification process is performed, the detoxification process is performed and / or the content of the detoxification process is invisible to the user (for example,). It may be added or modified in the header). By recording such processing, the administrator or the like may be able to search the target e-mail later.

In addition, when the e-mail is detoxified, the detoxification process and / or the content of the detoxification process is described in the body of the e-mail and sent to the recipient and the administrator. May be done.

When the mail body is in HTML format, the actual URL may not be displayed, so the determination processing unit 40 may acquire information about the actual URL.

Allowed URL information may be stored in a storage means such as a storage unit 10 as information related to a URL without a problem. Even if the e-mail contains URL information, if the URL information corresponds to the permitted URL information, the determination processing unit 40 may determine that the e-mail has no problem.

The storage unit 10 may store the other party whose transmission / reception has been performed a predetermined number of times (for example, 10 times) or more as the permission transmission source information. Further, the predetermined number of times may also be input from the input unit 90 and can be changed.

The storage unit 10 may store the URL that the judgment processing unit 40 determines to be problematic, and by comparing the URL with the URL stored in this way, the judgment processing unit 40 receives the e-mail from the next time onward. Appropriateness may be judged. When the storage unit 10 stores the URL determined to have a problem in this way, the storage unit 10 may also store the information of the e-mail in which the URL is described, attached, or the like. The information in this e-mail may include the body of the e-mail, the date and time of acquisition, the sender address, etc., and if a file is attached to the e-mail, the information in the file is also included in the information in the e-mail. May be included.

The determination processing unit 40 does not have to determine the appropriateness of the e-mail (sender impersonation, etc.) with respect to the e-mail transmitted via the internal network without going through the external network.

In the present embodiment, an information processing method in all aspects of the information processing device described above, a program for generating the information processing device, and a recording medium including a USB memory, a CD, a DVD, etc. on which the program is recorded are also provided. ..

The information processing device of the present embodiment is generated by installing a program such as a server program. This program may be delivered by e-mail, may be obtained by accessing a predetermined URL and then logged in, or may be recorded on a recording medium. The information processing method of this embodiment is carried out by an information processing device in which the above program is installed.

"effect"
Next, the effects of the present embodiment having the above-described configuration, which have not been described yet, will be mainly described. Any configuration described in "Effect" can be used as the configuration of the present embodiment.

When a compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area, and the e-mail is stored or stored in the temporary save area. If you notify the recipient of the email, decompress the compressed file by entering the password, extract the file, and determine whether the file is appropriate for the file, the password will be Appropriateness can be quickly judged for the files stored in the set compressed file. First, by notifying the recipient, it can be expected that the password will be entered promptly. Further, when the file is stored in the compressed file in which the password is set, the appropriateness cannot be judged for the stored file, but according to this embodiment, the file is stored in the compressed file in which the password is set. Can be judged as appropriate even if is stored.

In the present embodiment, if the file is determined to be appropriate, an e-mail is sent to the recipient, and if the file is determined to be inappropriate, a predetermined action is performed, and then the action is performed. If the mode of sending the executed e-mail to the recipient is adopted, the recipient will receive the e-mail after appropriate measures have been taken.

When the judgment processing unit 40 sends an e-mail to the recipient, if the judgment processing unit 40 adopts a mode in which the first compressed file after resetting the password is attached and sent, the original e-mail is sent. E-mail can be sent to the recipient in a manner substantially the same as.

When the judgment processing unit 40 sends an e-mail to the recipient, if the judgment processing unit 40 adopts the mode of transmitting the first compressed file in the state where the password is released to the recipient, the receiver is renewed. There is no need to enter a password, which saves time and effort.

If the sender is an authorized sender, the email will not be judged as to whether the file in the compressed file is appropriate, even if the email is accompanied by a compressed file with a password. When the mode of sending to the recipient of the above is adopted, it is advantageous in that it is not necessary to judge the appropriateness of the e-mail from the sender which the user judges to be safe.

When the mode of deleting the first compressed file that was not decompressed by the decompression unit 30 and sending the e-mail to the recipient is adopted, it is possible to prevent the first compressed file whose appropriateness cannot be confirmed from being sent to the recipient. However, the text of the e-mail can be sent to the recipient.

When the n + 1 compressed file is stored in the nth compressed file (“n” is an integer of 1 or more), the determination processing unit 40 notifies the recipient of the e-mail that the n + 1 compressed file exists. A mode in which the decompression unit 30 decompresses the compression of the n + 1 compressed file and extracts the n + 1 file by inputting a password, and the determination processing unit 40 determines whether the n + 1 file is appropriate for the n + 1 file. When is adopted, the appropriateness can be judged for the files in the folder even when the folder has a multi-layer structure.

When a plurality of n + 1 compressed files are stored in the nth compressed file decompressed by the decompression unit 30, the judgment processing unit 40 is appropriate for the n + 1 file in the n + 1 compressed file decompressed. When the property was judged and the mode of deleting the n + 1 compressed file that was not decompressed was adopted, the appropriateness could not be confirmed while confirming the appropriateness for the decompressed file. The security can be ensured by deleting the compressed file.

The upper limit of the hierarchy to be decompressed by the decompression unit 30 is set in advance, and if the mode in which the decompression unit 30 does not decompress the compressed file when the upper limit is exceeded, the decompression of the compressed file is performed. The upper limit can be set, and the load on the determination processing unit 40 can be limited.

The determination processing unit 40 has an artificial intelligence function, and may learn the password for the sender by using the relationship between the sender information and the password information used for decompression as teacher data. When such an aspect is adopted, it is possible to increase the possibility that the compressed file can be decompressed without inputting the password from the receiver.

When the relay unit 50 adopts a mode in which the determination processing unit 40 denies access to the internal terminal based on the link destination information when the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information.
Not only can you prevent access to dangerous websites using e-mail, but you can also prevent access to dangerous websites even for employees who have not received e-mails of questionable suitability. Is beneficial.

When the mode in which the access to the URL whose access is prohibited by the relay unit 50 is permitted via the input unit 90 is adopted, for example, the access to the URL determined to be safe by the administrator can be permitted. This is useful in that it is possible to prevent the access restriction to the URL from becoming unnecessarily excessive.

The description of the embodiment and the disclosure of the drawings described above are merely examples for explaining the invention described in the claims, and are described in the claims by the description of the above-described embodiments or disclosure of the drawings. The inventions made are not limited. The description of the scope of claims at the time of filing can be changed as appropriate within the scope of the patent specification, and the scope can be extended.

Each component including the separation notification unit 20, the decompression unit 30, the judgment processing unit 40, the relay unit 50, the storage unit 10, etc. of each of the above embodiments is a logic circuit formed in an integrated circuit such as an IC chip or an LSI. It may be realized by (hardware) or a dedicated circuit, or it may be realized by software using a CPU, memory, or the like. Further, each component may be realized by one or a plurality of integrated circuits, and a plurality of components may be realized by one integrated circuit. Further, the control unit may be conceived as a component including the separation notification unit 20, the decompression unit 30, the judgment processing unit 40, the relay unit 50, and the like.

10 Storage unit 11 First storage unit 12 Second storage unit 20 Separation notification unit 30 Decompression unit 40 Judgment processing unit 50 Relay unit

Claims (14)

If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. A separate notification unit that notifies the recipient of the e-mail,
A decompression unit that decompresses the compression of the first compressed file and extracts the first file by inputting the password,
A judgment processing unit that determines whether the first file is appropriate for the first file,
An information processing device characterized by being equipped with. When the determination processing unit determines that the first file is appropriate, it sends the e-mail to the recipient, and when it determines that the first file is inappropriate, a predetermined action is taken. The information processing apparatus according to claim 1, wherein an e-mail in which the action is executed is transmitted to the receiver after executing the above. The second aspect of the present invention is characterized in that when the determination processing unit transmits the e-mail to the recipient, the determination processing unit attaches and transmits a first compressed file after resetting the password. The information processing device described. The second aspect of claim 2 is that when the determination processing unit transmits the e-mail to the receiver, the determination processing unit transmits the first compressed file in a state where the password is released to the recipient. The information processing device described. It also has a storage unit that stores the authorized sender.
When the sender is the authorized sender, the determination processing unit can use the first compressed file in the first compressed file even when the first compressed file in which the password is set is attached to the e-mail. The information processing apparatus according to any one of claims 1 to 4, wherein the first file is transmitted to a recipient of the e-mail without determining whether or not the first file is appropriate. The determination processing unit according to any one of claims 1 to 5, wherein the determination processing unit deletes the first compressed file that has not been decompressed by the decompression unit and sends the e-mail to the recipient. Information processing device. When the n + 1 compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer of 1 or more), the determination processing unit determines that the n + 1 compressed file exists. Notify the recipient of the email and
When the password is input, the decompression unit decompresses the compression of the n + 1 compressed file and takes out the n + 1 file.
The information processing apparatus according to any one of claims 1 to 6, wherein the determination processing unit determines whether or not the n + 1 file is appropriate for the n + 1 file. When the n + 1 compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer of 1 or more), the decompression unit automatically assigns a password to the n + 1 compressed file. The information processing apparatus according to any one of claims 1 to 6, wherein the information processing apparatus is input. When the n + 1 compressed file is not decompressed by the password automatically entered by the decompression unit, the determination processing unit notifies the recipient of the e-mail that the n + 1 compressed file exists. The information processing apparatus according to claim 8. When a plurality of n + 1 compressed files are stored in the nth compressed file decompressed by the decompression unit, the determination processing unit is appropriate for the n + 1 file in the n + 1 compressed file decompressed. The information processing apparatus according to any one of claims 7 to 9, wherein the sex is determined and the n + 1 compressed file whose compression has not been decompressed is deleted. Claims 1 to 10, wherein the upper limit of the hierarchy to be decompressed by the decompression unit is set in advance, and when the upper limit is exceeded, the compressed file is not decompressed by the decompression unit. The information processing apparatus according to any one of the following items. If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. Notifying the recipient of the email and
By inputting the password, the compression of the first compressed file is decompressed and the first file is taken out.
Determining whether the first file is appropriate for the first file,
An information processing method characterized by being provided with. A program that causes an information processing device to execute an information processing method.
The information processing device
If the received e-mail has a first compressed file with a password attached, the e-mail is stored in the temporary evacuation area, and the e-mail is stored or stored in the temporary evacuation area. Notifying the recipient of the email and
By inputting the password, the compression of the first compressed file is decompressed and the first file is taken out.
Determining whether the first file is appropriate for the first file,
A program characterized by executing an information processing method. A recording medium on which the program according to claim 13 is recorded.

Images